By Topic

Explore More

Customer Success

We know that successful customers don’t just require great products but also training, education and flawless implementations. That’s why we’ve created the Legendary Customer Success program because we want our customers to be legends.

Key Facts About Ransomware

Have you ever wondered about the key issues with ransomware? How it might affect you or even what to look for? Maybe you're simply curious as to how to react when you get hit? Look no further than this whiteboard session with our in-house security expert Matthew Gardiner. He touches on 8 key facts to be aware of with ransomware moving forward.

Matthew Gardiner Whiteboard Podcast

Video Transcription

Hello, I’m Matthew Gardiner. A security specialist here at Mimecast. I’m here to talk to you about the 8 keys facts about ransomware. But before I do that I would like to explain to you exactly what ransomware is. Ransomware is a very popular form of attack with the goal of monetizing your assets. The way in which the hackers do this is by loading in a form of encryption software that encrypts your clients, your servers, and anything they can get their hands on and then ransoming you the key to unlocking it to get back the data back. For 2016, the FBI reported that approximately 1 billion dollars in ransoms are expected to be paid - so it’s a substantial and growing business. There are ways to defend yourself, but you do need to know the keys facts before you can do that.

#1 Email is and will remain for the foreseeable future, the primary delivery mechanism

Why is that? Email is ubiquitous, email is cheap from the attacker’s point of view, and email is easy. And, it’s a trusted source for many people. So people will click on links and open files, with just a little bit of encouragement, enhanced with social engineering. So watch your email, even though it’s not the only source of ransomware infection, it is the primary source.

#2 The business of ransomware has shifted from one focused on consumers to corporations

The second thing is the business of ransomware has shifted, years ago it was a phenomenon that hit consumers, just basically randomly hitting people on the Internet. Which was a reasonable source of money from the attacker's point of view, but corporations and organizations really are a much better source because the assets and the data that can be encrypted and thus ransomed is much more valuable. So you’ve seen a shift in the attacker’s focus from consumers to corporations, which makes complete sense when you think about it.

#3 Ransomware is not only a client-side problem – recent attacks have increasingly targeted server-side applications, such as databases, shared file systems, and customer management systems

Number three and kind of related to number two. Ransomware has shifted from being a purely client side problem, meaning users’ desktops being encrypted - to one that is more ‘server side’ being the focus of the attack. Why is that? Well when you think about the value of a single client vs a server, the server is much more valuable, in that it’s a database or a shared file system or it’s a customer transaction system that has a lot of value to the business vs a desktop that may or may not have a lot of value. So the shift is from the client to the server. Although, clients certainly do still get hit.

#4 Relying on Anti-Virus alone, or really any preventive-only security system, will not work as cybercriminals can work around all of them.

If you think about prevention, probably you’re thinking about your anti-virus. Traditional Anti-Virus isn’t going to be enough, in fact, any preventive system can be bypassed. Because what cybercriminals do is they take preventive systems and they put them into their development environments, and when they are developing an instance of ransomware they test it to make sure those systems can’t don’t detect it and thus can’t defend against it. So a preventive only solution depending primarily on anti-virus is not going to cut it for advanced forms of ransomware.

#5 The rise of crimeware kits, TOR, Bitcoin and sketchy, multi-lingual call centers, as well as other complementary services, has enabled non-technical cybercriminals to execute ransomware campaigns by assembling an ecosystem.

Why is ransomware hitting now more than in years past?

1st - It is largely because ancillary services that what an attacker needs are now readily available. What do I mean by that? For example, crimeware kits, an attacker can go to the market and get a kit for building a ransomware attack, he doesn’t have to build the technology himself, he can essentially go and buy it in the market.

2nd - Second, Bitcoin, if you can’t be paid anonymously it’s hard to be a ransomware criminal. Because you can’t use the credit card network or PayPal because those are not anonymous and if and when you get reported it will come back to the attacker. Whereas Bitcoin doesn’t know who owns it and doesn’t really keep track of how you got it.

3rd - Things like TOR - the onion router - the network used to essentially hide the client and server communications, so attackers can hide on the TOR network. And with this it’s very hard to track where the attack is actually coming from.

4th - Call centers, so in some cases, you need to communicate with the attackers, and so there are actually call centers for hire that will help support these criminal enterprises in multiple languages. So if you’re English you can actually choose the English speaker version, if your German you can hit the German speaker in these call centers.

There are many other examples of the ecosystem of products and services that attackers leverage as part of their ransomware and other types of criminal campaigns.

#6 Ransomware Can be Distributed into Existing Botnets – Splitting the $

There are other ways ransomware can be distributed, not just via email. We have examples of BOTNETS, zombie computers that are run by a botnet master and can be used for many purposes. One of the main purposes is becoming more common is for the delivery of ransomware. So if your machine is part of a botnet, it could be part of a ransomware campaign in the future. There are other ways to get infected with ransomware more than just botnets, you could have poisoned USBs and other ways. So it’s important to remember that while email is the primary attack method there are other methods that can, in fact, get you into a ransomware bind.

#7 It can only be combated using a two-layer method. They are technology, herd alertness.

You can defend yourself with technology and what we call “HERD” awareness. So there is technology that exists, services that exist that go beyond traditional, preventive controls. Things like Sandboxing, security email gateways in the cloud, those sorts of things can be applied to help prevent and others that can actually address a ransomware infection even when it has occurred.

The “Herd” alertness relates to user awareness. The more the users can be aware of both what not to do and what to do to not get infected with ransomware. And if they do those things anyway, to understand what has happened is really, really valuable. Your organization can detect essentially a ransomware campaign, process and better defend and react to it if your herd, your users, can better understand the importance in taking part in your defense plan.

#8 A three-tier approach is needed to protect yourself. Prevention, Continue and Recovery

Really the best way to think about a defensive program is in three-tiers.

Prevent

So try to maximize your prevention with some of the methods I mentioned. But don’t think these will be fool-proof. Make sure you have a continuity plan so you can keep operating in the midst of an attack

Continuity

For example if a user’s machine is hit, how the user is going to business, how are they going to send and receive email while their systems are being fixed. Same on the server side, if servers go down, you need to have a plan- including a ransomware plan. Just like in the case of if a hurricane hit, business needs to be able to keep on going.

Archiving/Recovery

You need to have a recovery plan, like a disaster recovery plan, where you’re consistently archiving, backing up and setting yourself up for quick recovery, because you never want to get in a situation where you have to pay a ransom, because it only feeds into the criminal cycle. And if you pay the ransom once, they will come after you again to try and get more money.

Again, these are the 8 key facts about how to better prepare yourself and defend against ransomware. I hope these help, - Thank you.

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox